For the better part of a year before the terrorist attacks on September 11, 2001, I was part of a small team at the U.S. Chamber of Commerce trying to solve a problem. Most critical infrastructure is owned by private industry, but government has a national security interest in ensuring it is secure. So, how do we get industry and government to work together to secure it? The importance of this nascent project was made clear on 9/11.
Since then, I have been fortunate to have a center seat at the national effort to solve this riddle. From forging information relationships to share critical intelligence, to establishing the legal and governance framework that enables industry and government to set policy priorities, we have accomplished much since that dark day. But there is much work to be done.
Before looking at the work that is left, we should look at where we were on 9/11. The attacks drove home several key points relevant to Critical Infrastructure Protection. Among them were:
- The Need for Industry-Government Collaboration: Prior to September 11, there was a group of industry leaders who understood the importance of “Critical Infrastructure Protection.” But there was not a well-articulated business case for industry-government collaboration. Industry viewed “Partnership” as better than regulation, and government knew it could not regulate the country into security, but we were struggling to define the partnership structures, priorities, roles, responsibilities, and outcomes. Although work on the public-private partnership began prior to 9/11, the attacks created a sense of urgency and propelled action.
- The Importance of Understanding Cross Sector Interdependencies: As 9/11 approached, we collectively were still trying to understand sector-specific risks. In fact, we were trying to understand how to understand sector-specific risks. Evaluating cross–sector dependencies was a distant goal. We knew we needed to look at how an incident in one sector can impact another, but we had other priorities. This changed on September 11 when communications were lost, and our transportation system was crippled.
- The Value of Achieving Situational Awareness: Once the second plane struck the World Trade Center, it was clear we had a major intelligence failure. The 9/11 Commission Report later revealed that elements of the national security apparatus each held individual pieces of intelligence that on their own did not mean much, but that were part of a larger puzzle which, taken together, provided a more complete picture. We did not have the capacity to share information within government, let alone between government and industry. As a result, no one had overall situational awareness.
Progress to Date
The September 11 attacks led to a vast restructuring of government through the creation of the Department of Homeland Security and a renewed focus on industry-government engagement. Progress has not always been quick or easy. As in any partnership, the partners do not always agree. The truth is there have been times when government has not been a great partner. Some in government may hold the same view of industry. But progress nonetheless has been substantial. Of course, we need to do more, but we should take note of what has been achieved.
Establishing Legal and Operating Frameworks to Ensure Sustained, Scalable Collaboration Between Industry and Government: The Homeland Security Act of 2002 established the Critical Infrastructure Partnership Advisory Council (CIPAC). Normally, the establishment of a government committee is not a significant accomplishment. However, the CIPAC framework formalized and gave legal protections to industry-government collaboration. CIPAC provided a much-needed boost to industry-government engagement and has had tangible results.
The biggest value of CIPAC is that it enables industry and government to collaborate on policy and strategy development. The IT Sector Baseline Risk Assessment, developed through CIPAC and released in 2009, took a function-based approach to risk assessment rather than an asset-based one. DHS adopted the same approach in the “National Critical Functions” approach to risk management that CISA announced 10 years later, in April 2019. Essential planning and response documents such as the National Infrastructure Protection Plan and the National Incident Response Framework were built leveraging the CIPAC structure. CIPAC is being used to improve cyber threat information sharing, to secure the ICT supply chain through the work of the ICT Supply Chain Risk Management Task Force, to conduct interdependency analysis, and to identify and protect critical national functions. Engagement through CIPAC has not been flawless, and implementing some of the actions in the various plans has been challenging. Nonetheless, CIPAC provides the necessary structure for consistent, scalable collaboration between industry and government on pressing security and policy challenges.
Private Sector Information Sharing: Since 9/11, we have built a network of mature, connected, and highly capable industry-specific Information Sharing and Analysis Centers that share threats and help enterprises manage risks. While several sectors, such as the IT Sector, had established an Information Sharing and Analysis Center prior to 9/11, the attacks propelled other sectors to form ISACs. By 2003, there were enough sector-specific ISACs to establish the ISAC Council. Today, there are 26 ISACs across the 16 critical infrastructure sectors, encompassing thousands of companies coordinating through the National Council of ISACs (NCI). Some sectors, such as Communications, have two recognized ISACs: the Communications ISAC and CyberShare, the Small Broadband Provider ISAC. ISACs provide a trusted forum to help members respond to attacks. The success of ISACs and the value they provide are not fully appreciated.
We are also seeing innovative partnerships within and across information sharing communities. The CompTIA ISAO has partnered with the IT-ISAC, under which the IT-ISAC provides curated intelligence and incident reporting for the MSP and MSSP communities that form the core of the CompTIA ISAO membership. The IT-ISAC also established Special Interest Groups for sharing with companies in the Elections and Food and Agriculture industries, which otherwise do not have an industry-only venue in which to share with peers. Innovation and collaborative partnerships such as these will continue to drive real operational value across industry.
Government Information Sharing: Yes, government information sharing is not where it needs to be. But when you compare where information sharing stood on September 11, 2001, with where it stands today, there has been substantial progress. This owes a great deal to then Assistant Secretary for Cybersecurity Greg Garcia’s efforts in 2007 to integrate US-CERT with the NCC Watch. This eventually became the National Cybersecurity and Communications Integration Center (NCCIC), which is now part of CISA. This center serves as a single point of engagement between industry and government and provides opportunities for industry and government to collaborate to identify, mitigate, and recover from cyberattacks.
In addition, the development and use of automation to share cyber threat indicators has made it easier to share and consume indicators at scale and to integrate them directly into security tools. No more copying and pasting indicators from Excel sheets and PDFs. This does not solve all information sharing issues, of course. However, sharing indicators has improved so much that we have moved from one problem — nobody is sharing indicators — to another, in that there are so many indicators it is hard to tell which are relevant. Thanks to advances in security technologies and trusted relationships through various peer groups, we are making great progress in turning information into actionable intelligence and analysis. This is not to say that the progress made to date is enough. It’s not, and we should be further along today than we are. But an honest assessment must acknowledge this progress, even if the task is incomplete.
Despite this progress, there remains much to do. The Internet is vastly different today than it was 20 years ago. Consider that in August 2001, it is estimated that there were 513 million Internet users, or 8.6 percent of the world’s then-population. In March 2021, it is estimated that there were 5.168 billion Internet users, or 65.6 percent of the world’s population. Not surprisingly there are a lot of devices connected to the Internet. According to a March 2020 Cisco White Paper, there will be 29.3 billion devices connected to the Internet in 2023. This represents more than three times the global population!
Collectively, these devices propel today’s digital economy. They enable complex supply chains to operate with just-in-time delivery. They enable people to share critical information in real time. They store some of the most sensitive national security and corporate information. They streamline critical manufacturing processes. This digital infrastructure underpins today’s critical infrastructure.
It is not surprising, therefore, that the cyber threat is vastly different than it was 20 years ago. The digital infrastructure is under constant cyber assault. Well-funded nation-states are targeting private and government networks. There is an entire underground economy in which highly skilled cyber criminals sell their capabilities for nefarious purposes and personal profit. Sophisticated criminal gangs collaborate to attack enterprises. Tools once available only to nation-states are now available to cyber criminals. We need to keep pace with this threat.
Unfortunately, we are struggling to do so. The expanded attack surface and interconnectedness, combined with a complex array of threat actors, pose significant challenges to both network defenders and policy makers. Meeting today’s challenges and preparing for those to come requires a much fuller partnership, one that is more completely operationalized within the partnership model. There are some core areas where an improved partnership is necessary:
Building a National Cyber Strategy: Larry Clinton at the Internet Security Alliance has an interesting blog noting that the U.S. does not have a national cyber strategy. Yes, cybersecurity is incorporated into elements of documents such as the National Infrastructure Plan. But many of our nation-state competitors have a cyber strategy and are implementing theirs with great consequences to us. A national strategy will help identify priorities and guide everything from regulatory harmonization to law enforcement and diplomatic strategies to rethinking the economics of cybersecurity. Absent a national vision and organizing principle that guides our work, how do we know whether what we are doing is what we should be doing?
Too often, there is a lack of prioritization within our work. Priorities often seem driven by news or current events, running from one shiny object to the next. The collective amount of time wasted creating recommendations that were never implemented is immense. A multi-month effort to “refresh” the National Infrastructure Protection Plan has melted away without any explanation. A framework to implement DHS’ “Collective Defense” strategy was ignored. Numerous recommendations from DHS’ CyberStorm Exercise remain unimplemented. This is a tremendous waste of limited resources.
CISA’s Joint Cyber Defense Collaborative can be an effective tool to identify and implement joint priorities. To meet its goal of building a whole-of-nation capability, JCDC leadership should establish a working group composed of members of the Cross Sector Coordinating Council, the National Council of ISACs, and other established and successful pillars of the national partnership model. Collaborating with these partners will not only build goodwill and support but also increase the chances of success by ensuring the ideas and needs of these partners are addressed at formation and not “added in” after the JCDC is operational.
Building a Cohesive, Integrated, National Cyber Warning and Response Capability: While the progress we have made in developing information sharing relationships is impressive, it is not nearly enough. We are still struggling to turn separate initiatives into an integrated national capability. There are a lot of relationships between industry and government, but this has yet to translate into a capability that provides a national common operating picture accessible to industry and government. The 2009 NSTAC Cybersecurity Collaboration Task Force Report and accompanying Concept of Operations provided a public-private partnership framework to implement this capability, but it was not implemented. Despite all the resources available to CISA, the NCCIC does not have sector-specific cybersecurity analysts charged with engaging their respective sectors. There is no designated NCCIC analyst, for example, for the IT Sector.
Key industry input in the development of the latest National Cyber Incident Response Plan was disregarded. Government made the decision to remove standing industry representation from the Cyber Unified Coordination Group (Cyber UCG), which is charged with coordinating responses to significant cyber incidents. As such, there is no formal, repeatable way to engage across industry during significant cyber incidents. This can be easily solved by working with the National Council of ISACs and the Cross Sector Coordinating Council to ensure a limited number of representatives of the critical infrastructure community are engaged with the Cyber UCG.
To increase the amount of information available to government, there have been an increasing number of proposals to require companies to report incidents to CISA. Much of the discussion on mandatory reporting has focused on the benefits to government. There has been less discussion as to how mandatory reporting will result in benefits to industry. Industry has a finite number of security resources. If it is to divert security resources to compliance, then government must improve its ability to provide industry timely, insightful, and actionable analysis, intelligence, and mitigations. Success also hinges on implementing clear guidance on what information needs to be reported, harmonizing reporting requirements, streamlining reporting across multiple agencies, and providing liability and regulatory protections to the information that is shared.
The movement toward mandatory reporting of cyber incidents is a fundamental shift in the partnership model. It has the potential to change CISA’s role from a trusted partner to regulator, or at least a semi-regulator, threatening to disrupt the trust that has been painstakingly established. While this shift could bring benefits, the implications of this shift are not yet fully understood.
Imposing Costs on Adversaries: The economics of cybersecurity favor the bad guys. It is cheaper to attack than to defend. The chances of making money are high while the risks of getting caught are low. Many cybercriminals live in countries out of reach from U.S. law enforcement and most criminals are never arrested despite the excellent work of our law enforcement agencies. Nation-state actors make the same calculus — they can get away with it. The attacks will continue until we impose real consequences on those attacking us.
Cybersecurity is the only industry in which the victim is consistently blamed. We do not blame a convenience store when it is robbed. We do not blame retail stores for being victimized by shoplifters. But when a company is victimized by a cyberattack, the tendency is to blame the company. We can fine companies, impose mandates, require them to share, and impose regulations, but the truth is that the “cost-benefit” analysis favors the attackers. Until this changes, companies will continue to be victimized. We have made near-zero progress over the years in effectively imposing costs on those who attack us. We need a strategy that deters and punishes such behavior.
Blended Threats: As noted, the 9/11 attacks demonstrated the importance of understanding cross-sector dependencies — how an incident in one sector can impact others. In the same way, we need a better understanding of how cyber and physical risks intertwine. As more devices are connected to the Internet, not only does the attack surface expand, but so does the potential impact of an attack.
One recent example of a blended threat is the attack on Colonial Pipeline. The company had to suspend core operations not because the attack crippled its ability to transmit product, but because of the impact on its business systems. The resulting inability to transmit product caused gas shortages across the East Coast. Likewise, the attack on JBS USA led to it shutting down its beef processing. The disruption to the food supply chain was not insignificant. We need to better understand these blended threats at both the individual corporate and the national level.
Cyber Capacity Building: We cannot solve cybersecurity from Washington D.C. CISA cannot be expected to respond to every incident impacting a critical infrastructure or local government. It cannot provide cyber analytics that meet the unique needs of every business. Instead, we need a sustained effort to engage communities outside of Washington, D.C., to empower them to better defend themselves. This includes not only providing resources with best practices on network defense, but helping communities build the technical skills and partnerships needed for incident response and analysis. There is a critical shortage of cyber talent, especially outside of major metropolitan areas. We can build capacity by increasing the cybersecurity workforce so that organizations have access to cyber talent. We also need to build the capacity of the nation so that we can respond to thousands of simultaneous cyberattacks on communities across America.
In the same way, engaging with small- and medium-sized enterprises — to include businesses, local and tribal governments, and nonprofit organizations — has been a challenge from the beginning and is one we need to resolve. Unfortunately, the need to address this community has never been more pressing. These enterprises are increasingly targeted and need help. Most small enterprises do not understand the threats facing them and often do not have substantial resources to invest in security. As such, they remain ill-prepared to face cybersecurity threats specifically, and security risks more generally. We need a coordinated, sustained strategy to provide adequate guidance and resources to small- and medium-sized businesses that are getting hammered.
The work we have done over the past 20 years is important and meaningful. We have made substantial progress and had real impact. A key lesson from the past two decades is that we are most successful when government and industry are equal partners in determining priorities and implementing strategies.
But we are at a critical juncture in the public-private partnership model. The cyber threat has never been more complex and will continue to become even more complex. At the same time, there are signs that the partnership model is changing. Industry is increasingly referred to as “Stakeholders” rather than “Partners.” Through executive actions, regulations, mandates, and legislation, there is an increasing trend in which government is imposing key policies and priorities with little to no industry input, with the promise to “partner” with industry on implementation. This is not a roadmap to continued success.
These are complex problems that cannot be solved alone by well-intentioned government solutions. The path forward should be to recommit to, improve on and operationalize established partnerships. Engage across industry and government as equal partners to build a national strategy that identifies key priorities and responsibilities. CISA Director Jen Easterly recently commented on the need to “institutionalize” public-private partnerships. History demonstrates that when done properly this approach results in success. But it must be a partnership of equals.
Neither industry nor government can secure our critical infrastructure alone. Both have important and essential insights that inform the other. Let’s continue moving forward in partnership on the important work we must do together.
One Final Thought
Any commentary on the September 11 attacks is not complete without remembering the 2,977 people who died that day, including 343 New York City firefighters, 23 New York City Police Officers, and 37 Port Authority Police Officers. Twenty years later, we must also note the tremendous sacrifice of our men and women in uniform who have consistently answered the call to defend this great country by taking the fight to the terrorists. To all those who have served, thank you! To those who have suffered loss, I pray that the Lord brings you his comfort and peace. Your service and loss are not in vain. It has kept us safe and secure.